19 package org.apache.wss4j.policy.stax.test;
20
21 import org.apache.wss4j.common.ext.WSSecurityException;
22 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
23 import org.apache.wss4j.stax.ext.WSSConstants;
24 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
25 import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
26 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
27 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
28 import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
29 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
30 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
31 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
32 import org.junit.jupiter.api.Test;
33
34 import javax.xml.namespace.QName;
35
36 import java.util.LinkedList;
37 import java.util.List;
38
39 import static org.junit.jupiter.api.Assertions.assertEquals;
40 import static org.junit.jupiter.api.Assertions.fail;
41
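/**
 * Policy-enforcement tests for {@code sp:X509Token} assertions inside an
 * {@code sp:AsymmetricBinding}.
 *
 * <p>Both tests share one policy that requires, for the initiator and the recipient
 * alike, an X.509 token with {@code sp:RequireThumbprintReference} and
 * {@code sp:WssX509V3Token11}, issued by {@code CN=transmitter,OU=swssf,C=CH}, under the
 * {@code Basic256} algorithm suite. The positive test feeds X.509 v3 tokens and expects
 * the enforcer to accept the message; the negative test feeds an X.509 v1 initiator token
 * and expects rejection with {@link WSSecurityException#INVALID_SECURITY}.
 */
public class X509TokenTest extends AbstractPolicyTestBase {

    /** Asymmetric-binding policy used by both tests; initiator and recipient clauses are identical. */
    private static final String ASYMMETRIC_BINDING_POLICY =
        "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
        "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        "<sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token>\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireThumbprintReference/>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        "</sp:InitiatorToken>\n" +
        "<sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token>\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireThumbprintReference/>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        "</sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        "</wsp:Policy>\n" +
        "</sp:AsymmetricBinding>";

    /**
     * Registers the token and protection events that both tests have in common:
     * the initiator token (used for the main signature), the recipient token (used for
     * the main encryption), a signed SOAP 1.1 Body and a content-encrypted SOAP 1.1 Body.
     *
     * <p>The operation event is deliberately <em>not</em> registered here, because the
     * negative test expects the policy violation to surface at that step.
     *
     * @param policyEnforcer enforcer already started with the test policy
     * @param initiatorToken token that will be tagged with {@code TOKENUSAGE_MAIN_SIGNATURE}
     * @param recipientToken token that will be tagged with {@code TOKENUSAGE_MAIN_ENCRYPTION}
     * @throws Exception if the enforcer rejects one of the registered events
     */
    private static void registerTokenAndProtectionEvents(
            PolicyEnforcer policyEnforcer,
            X509SecurityTokenImpl initiatorToken,
            X509SecurityTokenImpl recipientToken) throws Exception {

        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        X509TokenSecurityEvent initiatorTokenEvent = new X509TokenSecurityEvent();
        initiatorTokenEvent.setSecurityToken(initiatorToken);
        policyEnforcer.registerSecurityEvent(initiatorTokenEvent);

        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        X509TokenSecurityEvent recipientTokenEvent = new X509TokenSecurityEvent();
        recipientTokenEvent.setSecurityToken(recipientToken);
        policyEnforcer.registerSecurityEvent(recipientTokenEvent);

        // Body is signed first, then encrypted (sign-before-encrypt order).
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        // NOTE(review): both part events are attributed to the recipient token, as in the
        // original test, even though the signature usage is on the initiator token — confirm intent.
        InboundSecurityToken protectingToken =
            (InboundSecurityToken) recipientTokenEvent.getSecurityToken();

        SignedPartSecurityEvent signedPartEvent =
            new SignedPartSecurityEvent(protectingToken, true, protectionOrder);
        signedPartEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartEvent);

        ContentEncryptedElementSecurityEvent encryptedContentEvent =
            new ContentEncryptedElementSecurityEvent(protectingToken, true, protectionOrder);
        encryptedContentEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedContentEvent);
    }

    /**
     * Builds the operation event for the {@code definitions} operation.
     *
     * @return a fresh event whose operation name is {@code definitions} (no namespace)
     */
    private static OperationSecurityEvent newOperationEvent() {
        OperationSecurityEvent operationEvent = new OperationSecurityEvent();
        operationEvent.setOperation(new QName("definitions"));
        return operationEvent;
    }

    /**
     * X.509 v3 tokens for initiator and recipient satisfy {@code WssX509V3Token11};
     * the enforcer accepts every event and {@code doFinal()} completes without error.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(ASYMMETRIC_BINDING_POLICY);
        registerTokenAndProtectionEvents(policyEnforcer,
            getX509Token(WSSecurityTokenConstants.X509V3Token),
            getX509Token(WSSecurityTokenConstants.X509V3Token));
        policyEnforcer.registerSecurityEvent(newOperationEvent());
        policyEnforcer.doFinal();
    }

    /**
     * An X.509 v1 initiator token violates {@code WssX509V3Token11}. The token and part
     * events are still accepted; the enforcer reports the violation when the operation
     * event is registered, with fault code {@link WSSecurityException#INVALID_SECURITY}.
     */
    @Test
    public void testPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(ASYMMETRIC_BINDING_POLICY);
        registerTokenAndProtectionEvents(policyEnforcer,
            getX509Token(WSSecurityTokenConstants.X509V1Token),
            getX509Token(WSSecurityTokenConstants.X509V3Token));

        try {
            policyEnforcer.registerSecurityEvent(newOperationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            // assertEquals(expected, actual): keep the order so failure messages read correctly.
            assertEquals("X509Certificate Version 3 mismatch; Policy enforces WssX509V3Token11",
                e.getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }
}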